I set up suricata and while receiving traffic and collecting alerts I noticed that I had false positives and used suppress
How to use it like this:
I created a suppress.rule file and inside this file I put:

```
suppress gen_id 1; sig_id 1000002; track by_src; IP 192.168.44.129
```
And inside suricata.yml, I also put the suppress.rule path, but it still produces the warning that I didn’t want.
Hi, @arz_Future ! Welcome to our forum!
I believe you're supposed to use lowercase `ip`, and commas are to be used as separators, so:

```
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.168.44.129
```
Please try this and see if the issue still persists.
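A quick way to catch exactly the two mistakes from this thread (semicolons instead of commas, and `IP` instead of `ip`) before Suricata loads the file is to lint the suppress lines first. The script below is an added example, not code from the thread or from the Suricata project; it assumes the `suppress gen_id ..., sig_id ..., track ..., ip ...` line format shown in the answer, and additionally accepts `by_dst`/`by_either` tracking, CIDR notation and a `suppress` line with no `track`/`ip` part, which I believe Suricata's threshold config also allows. The sample file at the top is constructed for the demo.

```python
"""Syntax checker for Suricata threshold.config 'suppress' lines (added example)."""
import ipaddress

# Assumed set of valid track values for a suppress line.
TRACK_VALUES = {"by_src", "by_dst", "by_either"}

# Constructed sample: line 1 is the form from the question, the rest are valid.
SAMPLE_SUPPRESS_RULES = """\
suppress gen_id 1; sig_id 1000002; track by_src; IP 192.168.44.129
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.168.44.129
# comments and blank lines are ignored

suppress gen_id 1, sig_id 2100498, track by_dst, ip 10.0.0.0/8
suppress gen_id 1, sig_id 2100498
"""


def parse_suppress(line):
    """Parse one suppress line into a dict, or raise ValueError with the reason.

    Returns None for blank lines and comments.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if ";" in line:
        raise ValueError("fields are separated by commas, not semicolons")
    keyword, _, rest = line.partition(" ")
    if keyword != "suppress":
        raise ValueError("line must start with 'suppress'")

    fields = {}
    for field in rest.split(","):
        parts = field.split()
        if len(parts) != 2:
            raise ValueError(f"malformed field {field.strip()!r}, expected '<key> <value>'")
        key, value = parts
        if key != key.lower():
            raise ValueError(f"keyword {key!r} must be lowercase ({key.lower()!r})")
        if key in fields:
            raise ValueError(f"duplicate keyword {key!r}")
        fields[key] = value

    unknown = set(fields) - {"gen_id", "sig_id", "track", "ip"}
    if unknown:
        raise ValueError(f"unknown keyword(s): {sorted(unknown)}")

    rule = {}
    for required in ("gen_id", "sig_id"):
        if required not in fields:
            raise ValueError(f"missing required keyword {required!r}")
        if not fields[required].isdigit():
            raise ValueError(f"{required} must be an integer, got {fields[required]!r}")
        rule[required] = int(fields[required])

    # 'track' and 'ip' only make sense together: both present or neither.
    has_track, has_ip = "track" in fields, "ip" in fields
    if has_track != has_ip:
        raise ValueError("'track' and 'ip' must be given together")
    if has_track:
        if fields["track"] not in TRACK_VALUES:
            raise ValueError(f"track must be one of {sorted(TRACK_VALUES)}")
        try:
            ipaddress.ip_network(fields["ip"], strict=False)  # accepts host or CIDR
        except ValueError:
            raise ValueError(f"ip {fields['ip']!r} is not a valid address or CIDR") from None
        rule["track"] = fields["track"]
        rule["ip"] = fields["ip"]
    return rule


def check_suppress_file(text):
    """Check every line; return (parsed_rules, errors), errors as [(lineno, message)]."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            rule = parse_suppress(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if rule is not None:
            rules.append(rule)
    return rules, errors


if __name__ == "__main__":
    parsed, problems = check_suppress_file(SAMPLE_SUPPRESS_RULES)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print(f"{len(parsed)} valid suppress rule(s)")
```

Run it against your real file by replacing `SAMPLE_SUPPRESS_RULES` with the file's contents; the first line of the sample is rejected with the comma message, which is the same problem as in the question.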